A Formally Specified Program Logic
for Higher-Order Procedural Variables and non-local Jumps

T. Crolard 
December, 2011 

Abstract 

We formally specified a program logic for higher-order procedural variables and non-local jumps with Ott and Twelf.
Moreover, the dependent type systems and the translation are both executable specifications thanks to Twelf's logic
programming engine. In particular, relying on Filinski's encoding of shift/reset using callcc/throw and a global
meta-continuation (simulated in state passing style), we have mechanically checked the correctness of a few examples
(all source files are available on request).



1 Introduction 

We formally specified the formal systems described in [Cro10, CP11] with Ott [SNO+07] and the Twelf proof
assistant [PS99]. These formal systems are:

• The functional language F (which is our formulation of Gödel's System T) equipped with two usual type
systems, a simple type system FS and a dependent type system FD which is akin to Leivant's MILP [Lei00].
In particular, dependent types include arbitrary formulas of first-order arithmetic.

• The imperative language I (essentially Loop^ω from [CPV09]) is an extension of Meyer and Ritchie's Loop
language [MR76] with higher-order procedural variables. Language I is also equipped with two (unusual)
type systems, a pseudo-dynamic simple type system IS and a dependent type system ID.

• A compositional translation from I to F is also defined [CPV09] in both the pseudo-dynamic and dependent
frameworks.

The main difference from the description given in [CP11] comes from the fact that the dependently-typed programs
contain proof annotations and are actually isomorphic to proof derivations (this is required to obtain executable
proof checkers from the specification of the dependent type systems in Twelf). As a simple example of such proof
annotations, the dependently-typed imperative procedure for addition is given in Figure 1.

A second minor difference is a consequence of our encoding of first-order quantifiers using Twelf higher-order
abstract syntax. Quantified variables have to be dealt with separately, and the elimination rule for the existential
quantifier is thus split into a cut rule and a left introduction rule.

Moreover, the type systems and the translation are all executable specifications thanks to Twelf's logic
programming engine. In particular, the imperative counterpart of Filinski's encoding of shift/reset [DF89, Fil94]
described in [CP11] and the examples from [Wad94] have been mechanically checked. The correctness of the third
example (which requires the more general type system) is shown in full in Figure 2.

In Section 2, we present the syntax of I and F, the functional simple type system FS (Section 2.1), the imperative
pseudo-dynamic type system IS (Section 2.2) and the translation from IS to FS (Section 2.3). In Section 3, we present
the syntax of languages I and F extended with dependent types and proof annotations, the functional dependent type
system FD (Section 3.1), the pseudo-dynamic imperative dependent type system ID (Section 3.2) and the translation
from ID to FD (Section 3.3).



cst p_add = proc ∀n∀m[x:nat(n), y:nat(m)] out [z:nat(add(n,m))] {
  z := y :> {n/nat(n)} [add(0, m) = m];
  for l:nat(l) := 0 until x {
    inc(z);
    z := z :> {n/nat(n)} [add(succ(l), m) = succ(add(l, m))];
  }[z:nat(add(l, m))];
}

Figure 1: Dependently-typed addition
cst shift = proc [p:proc ([proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A]), ~proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])]
                          out [proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A]), ~proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])]),
                  mk2:~proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])] out ∃u[r:nat(u), mk:~nat(F32(u))] {
  mk := mk2;
  cst reset = proc ∀x[p:proc ([~nat(F32(x))] out [⊥, ~⊥]), mk2:~A] out [r:nat(F32(x)), mk:~A] {
    mk := mk2;
    k:{
      cst m = mk;
      mk := proc [r:nat(F32(x))] out [Z:⊥] {
        jump(k, r, m)[Z:⊥];
      };
      var y := *;
      p(mk; y, mk);
      jump(mk, y)[r:nat(F32(x)), mk:~A];
    }[r:nat(F32(x)), mk:~A];
  };
  k:{
    cst q = proc ∀x[v:nat(x), mk2:~A] out [r:nat(F32(x)), mk:~A] {
      mk := mk2;
      cst anonym = proc [mk2:~nat(F32(x))] out [z:⊥, mk:~⊥] {
        mk := mk2;
        jump(k <: {u/[nat(u), ~nat(F32(u))]}{x}, v, mk)[z:⊥, mk:~⊥];
      };
      reset{x}(anonym, mk; r, mk);
    };
    var y := *;
    p(q, mk; y, mk);
    jump(mk, y)[r:nat(0), mk:~nat(F32(0))];
    [0 ∈ ∃u[r:nat(u), mk:~nat(F32(u))]]
  }∃u[r:nat(u), mk:~nat(F32(u))]; ?u.
  [u ∈ ∃u[r:nat(u), mk:~nat(F32(u))]]
};

cst reset = proc [p:proc ([~proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])] out ∃v[nat(v), ~nat(v)]), mk2:~A]
                 out [r:proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A]), mk:~A] {
  mk := mk2;
  k:{
    cst m = mk;
    mk := proc [r:proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])] out [Z:⊥] {
      jump(k, r, m)[Z:⊥];
    };
    var y := *;
    p(mk; y, mk); ?v.
    jump(mk, y)[r:proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A]), mk:~A];
  }[r:proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A]), mk:~A];
};

cst a = proc [mk2:~A] out [z:nat(add(3, 2)), mk:~A] {
  cst p_add = proc ∀x∀y[X:nat(x), Y:nat(y), mk2:~A] out [Z:nat(add(x, y)), mk:~A] {
    mk := mk2;
    Z := X :> {var_2/nat(var_2)}[add(x, 0) = x];
    for i : nat(i) := 0 until Y {
      inc(Z);
      Z := Z :> {var_5/nat(var_5)}[add(x, succ(i)) = succ(add(x, i))];
    }[Z:nat(add(x, i))];
  };
  cst q = proc [mk2:~proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])] out ∃v[r:nat(v), mk:~nat(v)] {
    mk := mk2;
    cst p = proc [f:proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A]), mk2:~proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])]
                out [h:proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A]), mk:~proc ∀n([nat(n), ~A] out [nat(F32(n)), ~A])] {
      mk := mk2;
      h := f;
    };
    var b := *;
    shift(p, mk; b, mk); ?u.
    r := 3 :> {var_4/nat(var_4)}[F32(0) = 3];
    for i : nat(i) := 0 until b {
      r := 2 :> {var_5/nat(var_5)}[F32(succ(i)) = 2];
    }[r:nat(F32(i))];
    [F32(u) ∈ ∃v[r:nat(v), mk:~nat(v)]]
  };
  var mk := mk2;
  var g := *;
  reset(q, mk; g, mk);
  var x := *;
  g{0}(0, mk; x, mk);
  var y := *;
  g{1}(1, mk; y, mk);
  p_add{3}{2}(x :> {var_6/nat(var_6)}[3 = F32(0)], y :> {var_7/nat(var_7)}[2 = F32(1)], mk; z, mk);
};

Figure 2: Dependently-typed example with shift/reset (imperative version of example 3 from [Wad94])
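The procedures `shift` and `reset` of Figure 2 follow Filinski's encoding: `reset` saves the current meta-continuation `m`, installs a new `mk` that restores `m` and jumps to the label `k`, runs the body, and finally jumps to `mk`; `shift` captures `k` and hands the body a resumable copy of it. The following Python program, an added example that is not part of the paper or its Twelf sources, builds the same encoding from `callcc`/`throw`/`abort` in the state-passing style the abstract mentions: every computation is a function `comp(k, mk)` and the meta-continuation `mk` is threaded explicitly, exactly as Figure 2 threads the procedural variable `mk` through every call. `ret`, `bind`, `run` and the helper names are this example's own; the three sample programs at the end are constructed here, the last one mirroring Figure 2 (the captured continuation `g` is called at 0 and at 1, yielding F32(0) = 3 and F32(1) = 2, and the results are added).

```python
"""Filinski's shift/reset on top of callcc/throw and a meta-continuation,
with the meta-continuation threaded in state-passing style.

A computation is a function  comp(k, mk) -> answer  where
  k  : the current continuation, a function (value, mk) -> answer
  mk : the current meta-continuation, also a function (value, mk) -> answer
Added example (not the paper's code); all names are this example's own.
"""


def ret(v):
    """Return v to the current continuation, leaving mk unchanged."""
    return lambda k, mk: k(v, mk)


def bind(c, f):
    """Run c, then pass its value to f, which returns the next computation."""
    return lambda k, mk: c(lambda v, mk2: f(v)(k, mk2), mk)


def callcc(f):
    """Reify the current continuation k as a value and hand it to f."""
    return lambda k, mk: f(k)(k, mk)


def thro(k, v):
    """Discard the current continuation and resume the captured k with v
    (named thro because throw is reserved in some linters; same meaning)."""
    return lambda _k, mk: k(v, mk)


def abort(v):
    """Jump to the meta-continuation, i.e. 'throw (!mk) v' in Filinski's ML."""
    return lambda _k, mk: mk(v, mk)


def reset(t):
    """reset t = let m = !mk in callcc(fn k =>
                   (mk := (fn r => (mk := m; throw k r)); abort (t ())))
    Here t is a thunk returning a computation."""
    def with_k(k):
        def body(_k, m):                          # m: meta-continuation saved on entry
            def new_mk(r, _mk):                   # mk := m; throw k r
                return thro(k, r)(None, m)
            return bind(t(), abort)(None, new_mk)  # run t under new_mk, then abort
        return body
    return callcc(with_k)


def shift(h):
    """shift h = callcc(fn k => abort(h(fn v => reset(fn () => throw k v))))
    h receives the delimited continuation as a function v -> computation."""
    def with_k(k):
        def resume(v):                            # reusable: may be called many times
            return reset(lambda: thro(k, v))
        return bind(h(resume), abort)
    return callcc(with_k)


def run(comp):
    """Run a closed computation under a top-level reset; initial mk is the identity."""
    top = lambda v, _mk: v
    return reset(lambda: comp)(top, top)


# --- constructed sample programs ------------------------------------------

def classic_example():
    """reset(1 + shift(k. k(k(10)))): the context '1 + []' runs twice -> 12."""
    body = bind(shift(lambda k: bind(k(10), k)), lambda v: ret(v + 1))
    return run(reset(lambda: body))


def discard_example():
    """reset(1 + shift(k. 7)): the context '1 + []' is dropped -> 7."""
    body = bind(shift(lambda k: ret(7)), lambda v: ret(v + 1))
    return run(reset(lambda: body))


def figure2_example():
    """Figure 2 in this encoding: reset(shift(k. k)) returns the captured
    continuation g; g(0) runs the loop zero times (r = 3), g(1) runs it once
    (r = 2), matching F32(0) = 3 and F32(succ(i)) = 2; then add(3, 2) = 5."""
    def f32_body(b):                  # r := 3; for i := 0 until b { r := 2 }
        r = 3
        for _ in range(b):
            r = 2
        return ret(r)
    captured = reset(lambda: bind(shift(lambda k: ret(k)), f32_body))
    prog = bind(captured,
                lambda g: bind(g(0), lambda x: bind(g(1), lambda y: ret(x + y))))
    return run(prog)
```

Because continuations are plain closures here, `resume` is multi-shot, which is what `figure2_example` relies on when it calls `g` twice; the page's imperative `shift` obtains the same effect through the label `k` and the dependent type `∃u[r:nat(u), mk:~nat(F32(u))]` on its block.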
2 Grammars and judgments for FS and IS

Syntax of F (simply typed)

  ident, x, y, z    ::= x                                     variable
  idents, x̄        ::= () | x̄, x                             variables
  fenv, Σ           ::= {} | Σ, x : τ                         environments (empty environment, ident declaration)
  terms, t̄         ::= () | t̄, t | (t̄)
  term, t, u        ::= x                                     var
                     |  0                                     zero
                     |  t1 t2                                 application
                     |  fn x : τ => t                         abstraction
                     |  fn (x̄ : τ̄) => t                       multi-abstraction
                     |  succ(t)                               successor
                     |  pred(t)                               predecessor
                     |  rec(t1, t2, t3)                       recursor
                     |  let x = t1 in t2                      let
                     |  let (x̄) = t1 in t2                    match
                     |  (t̄)                                   tuple
  typ, τ            ::= ⊤ | ⊥ | nat | τ → τ' | ~τ | (τ̄)       unit, void, nat, imply, not, tuple
  typs, τ̄          ::= () | τ̄, τ | (τ̄)

Syntax of I (pseudo-dynamically typed)

  env, Γ, Ω, γ, ω   ::= () | Γ, x : τ | x̄ : τ̄ | (Γ)          empty environment, ident declaration(s)
  block, b          ::= {s}ω                                  block
  command, c        ::= b                                     block
                     |  for y := 0 until e b                  for
                     |  y := e                                assign
                     |  inc(y)                                inc
                     |  dec(y)                                dec
                     |  e(ē; ȳ)                               call
  sequence, s       ::= ε                                     empty sequence (implicit or explicit)
                     |  c; s                                  command
                     |  cst y = e; s                          constant
                     |  var y := e; s                         variable
                     |  var y; s                              variable
                     |  (s)
  number, q         ::= 0 | 1 | 2 | 3 | 4 | 5 | succ(q)       zero, successor
  expression, e, p  ::= x | * | q | proc [γ] out ω {s}        variable, star, number, procedure
  expressions, ē    ::= () | ē, e | (ē)
  prop, τ, σ        ::= ⊤ | nat | proc([τ̄] out [τ̄']) | (τ)    unit, nat, proc
  props, τ̄, σ̄      ::= () | τ̄, τ | (τ̄)

Judgments

  f-typing ::=
    φ = φ'                     Formulas equality
    t = t'                     Terms equality
    x : τ ∈ Σ                  Lookup
    Σ ⊢ t : τ                  Type check
    Σ, x̄ : τ̄ = Σ'              Append
    Σ, (x̄) : τ̄ ⊢ t : τ'         Type check term in extended environment
    Σ ⊢ (t̄) : (τ̄)              Type check terms

  typing ::=
    τ = τ'                     Propositions equality
    x : τ ∈ Γ                  Lookup ident
    x̄ : τ̄ ⊂ Γ                  Lookup idents
    Ω[x : τ] = Ω'              Update
    Ω[x̄ : τ̄] = Ω'              Multi-update
    Γ, γ = Γ'                  Append
    ω ⊂ Ω                      Subset
    Ω|x̄ = ω                    Restriction
    Ω = x̄ : τ̄                  Split
    x̄ : τ = ω                  Init
    Γ; Ω ⊢ e : τ               Typecheck expression
    Γ; Ω ⊢ (ē) : (τ̄)           Typecheck expressions
    Γ; Ω ⊢ s ▷ Ω'              Typecheck sequence

  translation ::=
    (τ)* = τ                   Types translation
    (τ̄)* = (τ̄)                 Types translation
    (x̄)* = t̄                   Idents translation
    q* = t                     Number translation
    (e)* = t                   Expression translation
    (ē)* = t̄                   Expressions translation
    (s)*_ω = t                 Sequence translation

  judgement ::= primitives | f-typing | typing | translation
2.1 Functional simple type system FS

Rules are written  premises  ⟹  conclusion  (name); a rule with no premises is an axiom.

Formulas equality  φ = φ'
  φ = φ                                                                  (form_eq_refl)

Terms equality  t = t'
  t = t                                                                  (term_eq_refl)

Lookup  x : τ ∈ Σ
  x : τ ∈ Σ, x : τ                                                       (f_lookup_i)
  x ≠ y    x : τ ∈ Σ   ⟹   x : τ ∈ Σ, y : τ'                              (f_lookup_ii)

Type check  Σ ⊢ t : τ
  x : τ ∈ Σ   ⟹   Σ ⊢ x : τ                                              (tc_var)
  Σ ⊢ 0 : nat                                                            (tc_zero)
  Σ ⊢ t : nat   ⟹   Σ ⊢ succ(t) : nat                                    (tc_succ)
  Σ ⊢ t : nat   ⟹   Σ ⊢ pred(t) : nat                                    (tc_pred)
  Σ, x : τ ⊢ t : τ'   ⟹   Σ ⊢ fn x : τ => t : τ → τ'                      (tc_lam)
  Σ ⊢ t1 : τ → τ'    Σ ⊢ t2 : τ   ⟹   Σ ⊢ t1 t2 : τ'                      (tc_app)
  Σ ⊢ t1 : nat    Σ ⊢ t2 : τ    Σ ⊢ t3 : nat → (τ → τ)   ⟹   Σ ⊢ rec(t1, t2, t3) : τ     (tc_rec)
  Σ ⊢ (t̄) : (τ̄)  [Type check terms]   ⟹   Σ ⊢ (t̄) : (τ̄)                  (tc_tuple)
  Σ ⊢ t1 : τ    Σ, y : τ ⊢ t2 : τ'   ⟹   Σ ⊢ let y = t1 in t2 : τ'         (tc_let)
  Σ ⊢ t1 : τ    Σ, (x̄) : τ ⊢ t2 : τ'   ⟹   Σ ⊢ let (x̄) = t1 in t2 : τ'     (tc_match)

Append  Σ, x̄ : τ̄ = Σ'
  Σ, () : () = Σ                                                         (app_i)
  Σ, x̄ : τ̄ = Σ'   ⟹   Σ, (x̄, x) : (τ̄, τ) = Σ', x : τ                      (app_ii)

Type check term in extended environment  Σ, (x̄) : τ̄ ⊢ t : τ'
  Σ, x̄ : τ̄ = Σ'    Σ' ⊢ t : τ'   ⟹   Σ, (x̄) : (τ̄) ⊢ t : τ'                (tcte_product)

Type check terms  Σ ⊢ (t̄) : (τ̄)
  Σ ⊢ () : ()                                                            (tcts_empty)
  Σ ⊢ t : τ    Σ ⊢ (t̄) : (τ̄)   ⟹   Σ ⊢ (t̄, t) : (τ̄, τ)                    (tcts_cons)
2.2 Imperative simple type system IS

Propositions equality  τ = τ'
  τ = τ                                                                  (prop_eq_id)

Lookup ident  x : τ ∈ Γ
  x : τ ∈ Γ, x : τ                                                       (lookup_i)
  x ≠ x'    x : τ ∈ Γ   ⟹   x : τ ∈ Γ, x' : τ'                            (lookup_ii)

Lookup idents  x̄ : τ̄ ⊂ Γ
  () : () ⊂ Γ                                                            (lookup_idents_i)
  x : τ ∈ Γ    x̄ : τ̄ ⊂ Γ   ⟹   x̄, x : τ̄, τ ⊂ Γ                            (lookup_idents_ii)

Update  Ω[x : τ] = Ω'
  (Ω, x : τ')[x : τ] = (Ω, x : τ)                                        (update_i)
  x ≠ x'    Ω[x : τ] = Ω'   ⟹   (Ω, x' : τ')[x : τ] = (Ω', x' : τ')        (update_ii)

Multi-update  Ω[x̄ : τ̄] = Ω'
  Ω[() : ()] = Ω                                                         (multi_update_i)
  Ω[x̄ : τ̄] = Ω'    Ω'[x : τ] = Ω''   ⟹   Ω[x̄, x : τ̄, τ] = Ω''              (multi_update_ii)

Append  Γ, γ = Γ'
  Γ, () = Γ                                                              (append_i)
  Γ, γ = Γ'   ⟹   Γ, (γ, x : τ) = Γ', x : τ                                (append_ii)

Subset  ω ⊂ Ω
  () ⊂ Ω                                                                 (tc_subset_i)
  ω ⊂ Ω    x : τ ∈ Ω   ⟹   (ω, x : τ) ⊂ Ω                                  (tc_subset_ii)

Restriction  Ω|x̄ = ω
  Ω|() = ()                                                              (tc_restrict_i)
  Ω|x̄ = ω    y : τ ∈ Ω   ⟹   Ω|x̄, y = ω, y : τ                             (tc_restrict_ii)

Split  Ω = x̄ : τ̄
  () = () : ()                                                           (tc_split_i)
  Ω = x̄ : τ̄   ⟹   (Ω, x : τ) = (x̄, x) : (τ̄, τ)                            (tc_split_ii)

Init  x̄ : τ = ω   (every ident of x̄ receives the same type τ)
  () : τ = ()                                                            (tc_init_i)
  x̄ : τ = ω   ⟹   (x̄, y) : τ = (ω, y : τ)                                  (tc_init_ii)

Typecheck expression  Γ; Ω ⊢ e : τ
  x : τ ∈ Γ   ⟹   Γ; Ω ⊢ x : τ                                            (t_env_i)
  x : τ ∈ Ω   ⟹   Γ; Ω ⊢ x : τ                                            (t_env_ii)
  Γ; Ω ⊢ * : ⊤                                                           (t_unit)
  Γ; Ω ⊢ q : nat                                                         (t_num)
  γ = ȳ : σ̄    ω = z̄ : τ̄    z̄ : ⊤ = ω'    Γ, γ = Γ'    Γ'; ω' ⊢ s ▷ ω
      ⟹   Γ; Ω ⊢ proc [γ] out ω {s} : proc([σ̄] out [τ̄])                   (t_proc)

  (In t_proc the output variables start with type ⊤, i.e. uninitialised; the body must
  have assigned them the declared types τ̄ when it finishes. This is the "pseudo-dynamic" part of IS.)

Typecheck expressions  Γ; Ω ⊢ (ē) : (τ̄)
  Γ; Ω ⊢ () : ()                                                         (t_exps_i)
  Γ; Ω ⊢ (ē) : (τ̄)    Γ; Ω ⊢ e : τ   ⟹   Γ; Ω ⊢ (ē, e) : (τ̄, τ)            (t_exps_ii)

Typecheck sequence  Γ; Ω ⊢ s ▷ Ω'
  Γ; Ω ⊢ ε ▷ Ω                                                           (t_empty)
  Γ; Ω ⊢ e : τ    Γ, y : τ; Ω ⊢ s ▷ Ω'   ⟹   Γ; Ω ⊢ cst y = e; s ▷ Ω'        (t_cst)
  Γ; Ω ⊢ e : τ    Γ; Ω, y : τ ⊢ s ▷ Ω', y : τ'   ⟹   Γ; Ω ⊢ var y := e; s ▷ Ω'   (t_var)
  ω ⊂ Ω    ω = x̄ : σ̄    Γ; ω ⊢ s ▷ ω'    ω' = x̄ : τ̄    Ω[x̄ : τ̄] = Ω'    Γ; Ω' ⊢ s' ▷ Ω''
      ⟹   Γ; Ω ⊢ {s}ω; s' ▷ Ω''                                           (t_block)
  y : nat ∈ Ω    Γ; Ω ⊢ s ▷ Ω'   ⟹   Γ; Ω ⊢ inc(y); s ▷ Ω'                 (t_inc)
  y : nat ∈ Ω    Γ; Ω ⊢ s ▷ Ω'   ⟹   Γ; Ω ⊢ dec(y); s ▷ Ω'                 (t_dec)
  y : τ ∈ Ω    Γ; Ω ⊢ e : τ'    Ω[y : τ'] = Ω'    Γ; Ω' ⊢ s ▷ Ω''   ⟹   Γ; Ω ⊢ y := e; s ▷ Ω''   (t_assign)
  ω ⊂ Ω    Γ; Ω ⊢ e : nat    Γ, y : nat; ω ⊢ s ▷ ω    Γ; Ω ⊢ s' ▷ Ω'
      ⟹   Γ; Ω ⊢ for y := 0 until e {s}ω; s' ▷ Ω'                         (t_for)
  Γ; Ω ⊢ p : proc([σ̄] out [τ̄])    Γ; Ω ⊢ (ē) : (σ̄)    Ω[z̄ : τ̄] = Ω'    Γ; Ω' ⊢ s ▷ Ω''
      ⟹   Γ; Ω ⊢ p(ē; z̄); s ▷ Ω''                                          (t_call)
2.3 Translation from IS to FS

Types translation  (τ)* = τ
  (nat)* = nat                                                           (tr_type_1)
  (⊤)* = ⊤                                                               (tr_type_2)
  (τ̄)* = (τ̄1)    (τ̄')* = (τ̄2)   ⟹   (proc([τ̄] out [τ̄']))* = (τ̄1) → (τ̄2)   (tr_type_3)

Types translation  (τ̄)* = (τ̄)
  ()* = ()                                                               (tr_types_1)
  (τ̄)* = (τ̄1)    (τ)* = τ1   ⟹   (τ̄, τ)* = (τ̄1, τ1)                        (tr_types_2)

Idents translation  (x̄)* = t̄
  ()* = ()                                                               (tr_idents_1)
  (x̄)* = t̄   ⟹   (x̄, x)* = (t̄, x)                                         (tr_idents_2)

Number translation  q* = t
  0* = 0                                                                 (tr_num_1)
  q* = t   ⟹   succ(q)* = succ(t)                                         (tr_num_2)

Expression translation  (e)* = t
  q* = t   ⟹   (q)* = t                                                   (tr_exp_1)
  (x)* = x                                                               (tr_exp_2)
  (*)* = ()                                                              (tr_exp_3)
  γ = x̄ : σ̄    (σ̄)* = (τ̄)    (s)*_ω = t   ⟹   (proc [γ] out ω {s})* = fn (x̄ : τ̄) => t   (tr_exp_4)

Expressions translation  (ē)* = t̄
  ()* = ()                                                               (tr_exps_i)
  (ē)* = t̄    (e)* = t   ⟹   (ē, e)* = (t̄, t)                              (tr_exps_ii)

Sequence translation  (s)*_ω = t   (ω lists the variables the sequence returns; the result is their tuple)
  ω = z̄ : τ̄   ⟹   (ε)*_ω = (z̄)                                            (tr_seq_1)
  (e)* = t    (s)*_ω = t'   ⟹   (var x := e; s)*_ω = let x = t in t'        (tr_seq_2)
  (e)* = t    (s)*_ω = t'   ⟹   (cst x = e; s)*_ω = let x = t in t'         (tr_seq_3)
  (e)* = t    (s)*_ω = t'   ⟹   (x := e; s)*_ω = let x = t in t'            (tr_seq_4)
  (s)*_ω = t   ⟹   (inc(x); s)*_ω = let x = succ(x) in t                    (tr_seq_5)
  (s)*_ω = t   ⟹   (dec(x); s)*_ω = let x = pred(x) in t                    (tr_seq_6)
  (e)* = t    (ē)* = ū    (s)*_ω = t'   ⟹   (e(ē; z̄); s)*_ω = let (z̄) = t (ū) in t'   (tr_seq_7)
  ω' = z̄ : σ̄    (s1)*_ω' = t1    (s2)*_ω = t2   ⟹   ({s1}ω'; s2)*_ω = let (z̄) = t1 in t2   (tr_seq_8)
  ω' = z̄ : σ̄    (σ̄)* = (τ̄)    (z̄)* = ū    (e)* = t0    (s1)*_ω' = t1    (s2)*_ω = t2
      ⟹   (for y := 0 until e {s1}ω'; s2)*_ω = let (z̄) = rec(t0, (ū), fn y : nat => fn (z̄ : τ̄) => t1) in t2   (tr_seq_9)
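The sequence translation above is mechanical enough to run: every imperative step becomes a `let`, and a bounded `for` loop becomes a `rec` over the tuple of variables the body updates (tr_seq_9). The Python program below, an added example rather than the paper's Ott/Twelf specification, implements that translation for the IS fragment without procedure calls (var, assign, inc, dec, for, empty sequence) into a System T term AST, together with a small evaluator for the terms. The tuple-based AST encodings, the helper names `tr_seq`, `tr_proc`, `eval_term` and the reserved binder names `_args`/`_acc` are this example's own choices; the three sample procedures (addition as in Figure 1, multiplication, and cut-off subtraction) are constructed here. Because `rec` iterates exactly as many times as the natural number computed before the loop, every translated program terminates, which is the point of targeting System T; the subtraction case shows `pred(0) = 0` flowing through unchanged.

```python
"""Compositional translation of a Loop-style imperative fragment (IS) into
System T terms (FS), following the shape of the tr_seq rules, plus an
evaluator for the resulting terms.  Added example, not the paper's code.

System T term AST (nested tuples):
  ('var', x) | ('zero',) | ('succ', t) | ('pred', t) | ('lam', x, t)
  | ('app', t, u) | ('let', x, t, body) | ('tuple', [t, ...])
  | ('match', [x, ...], t, body) | ('rec', t_n, t_base, t_step)
Imperative sequence AST:
  ('var', y, e, s) | ('assign', y, e, s) | ('inc', y, s) | ('dec', y, s)
  | ('for', y, e, omega, body, s)   # for y := 0 until e {body}omega; s
  | ('end',)                         # empty sequence: returns the tuple omega
Imperative expressions: ('x', name) | ('num', n)
"""


def eval_term(t, env):
    """Evaluate a System T term; only total operations are used."""
    tag = t[0]
    if tag == 'var':
        return env[t[1]]
    if tag == 'zero':
        return 0
    if tag == 'succ':
        return eval_term(t[1], env) + 1
    if tag == 'pred':
        return max(eval_term(t[1], env) - 1, 0)      # pred(0) = 0, as in the axioms
    if tag == 'lam':
        _, x, body = t
        return lambda v: eval_term(body, {**env, x: v})
    if tag == 'app':
        return eval_term(t[1], env)(eval_term(t[2], env))
    if tag == 'let':
        _, x, bound, body = t
        return eval_term(body, {**env, x: eval_term(bound, env)})
    if tag == 'tuple':
        return tuple(eval_term(u, env) for u in t[1])
    if tag == 'match':
        _, xs, bound, body = t
        return eval_term(body, {**env, **dict(zip(xs, eval_term(bound, env)))})
    if tag == 'rec':
        _, tn, tbase, tstep = t
        n, acc, step = eval_term(tn, env), eval_term(tbase, env), eval_term(tstep, env)
        for i in range(n):                           # rec(succ n, b, s) = s n (rec(n, b, s))
            acc = step(i)(acc)
        return acc
    raise ValueError(tag)


def tr_exp(e):
    """(x)* = x ; a numeral becomes an iterated succ of zero."""
    if e[0] == 'x':
        return ('var', e[1])
    t = ('zero',)
    for _ in range(e[1]):
        t = ('succ', t)
    return t


def tr_seq(s, omega):
    """(s)*_omega: omega is the list of variables the sequence returns."""
    tag = s[0]
    if tag == 'end':                                                     # tr_seq_1
        return ('tuple', [('var', z) for z in omega])
    if tag in ('var', 'assign'):                                         # tr_seq_2/4
        _, y, e, rest = s
        return ('let', y, tr_exp(e), tr_seq(rest, omega))
    if tag == 'inc':                                                     # tr_seq_5
        _, y, rest = s
        return ('let', y, ('succ', ('var', y)), tr_seq(rest, omega))
    if tag == 'dec':                                                     # tr_seq_6
        _, y, rest = s
        return ('let', y, ('pred', ('var', y)), tr_seq(rest, omega))
    if tag == 'for':                                                     # tr_seq_9
        _, y, e, omega1, body, rest = s
        # step = fn y => fn (omega1) => (body)*_omega1, with the tuple bound via match
        step = ('lam', y, ('lam', '_acc',
                ('match', omega1, ('var', '_acc'), tr_seq(body, omega1))))
        loop = ('rec', tr_exp(e), ('tuple', [('var', z) for z in omega1]), step)
        return ('match', omega1, loop, tr_seq(rest, omega))
    raise ValueError(tag)


def tr_proc(params, omega, body):
    """(proc [params] out omega {body})* = fn (params) => (body)*_omega, as a callable
    taking one tuple of arguments and returning the tuple of outputs."""
    term = ('lam', '_args', ('match', params, ('var', '_args'), tr_seq(body, omega)))
    return eval_term(term, {})


# constructed sample procedures
P_ADD = tr_proc(['x', 'y'], ['z'],                  # z := y; for l until x { inc(z) }
    ('assign', 'z', ('x', 'y'),
     ('for', 'l', ('x', 'x'), ['z'], ('inc', 'z', ('end',)), ('end',))))

P_MULT = tr_proc(['x', 'y'], ['z'],                 # z := 0; for i until x { for j until y { inc(z) } }
    ('assign', 'z', ('num', 0),
     ('for', 'i', ('x', 'x'), ['z'],
      ('for', 'j', ('x', 'y'), ['z'], ('inc', 'z', ('end',)), ('end',)),
      ('end',))))

P_SUB = tr_proc(['x', 'y'], ['z'],                  # z := x; for i until y { dec(z) }  (cut-off)
    ('assign', 'z', ('x', 'x'),
     ('for', 'i', ('x', 'y'), ['z'], ('dec', 'z', ('end',)), ('end',))))
```

The `rec` in `eval_term` is the only looping construct, and its bound is a value, not a predicate, so no translated program can diverge regardless of its input; a sandbox that accepts only programs expressible in this fragment inherits that guarantee for free.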
3 Grammars and judgments for FD and ID

Syntax of F with dependent types and proof annotations ("sugar" marks derived forms)

  ident, x, y, z    ::= x                                     variable
  idents, x̄        ::= () | x̄, x                             variables
  fenv, Σ           ::= {} | Σ, x : φ                         environments (empty environment, ident declaration)
  terms, t̄         ::= () | t̄, t | (t̄)
  term, t, u        ::= x                                     var
                     |  0                                     zero
                     |  1 | 2 | 3 | 4 | 5                     (sugar)
                     |  t1 t2                                 application
                     |  fn x : φ => t                         abstraction
                     |  fn (x̄ : φ̄) => t                       multi-abstraction
                     |  t[i]                                  meta-application (sugar)
                     |  λn.t                                  generalization
                     |  ?n.t                                  any
                     |  t{i}                                  instance
                     |  succ(t)                               successor
                     |  pred(t)                               predecessor
                     |  rec(t1, t2, t3)                       recursor
                     |  let x = t1 in t2                      let
                     |  i1 = i2                               axiom
                     |  t :> φ̂[t']                            subst
                     |  (i, t : φ)                            witness
                     |  (t̄)                                   tuple
                     |  [t]                                   degenerated tuple
                     |  let (x̄) = t1 in t2                    match
                     |  throw t1 t2                           throw
                     |  callcc t                              callcc
  form, φ           ::= X                                     var
                     |  ⊤ | ⊥                                 true, false
                     |  nat(i)                                nat
                     |  i = i'                                equals
                     |  φ → φ'                                imply
                     |  ~φ                                    not
                     |  ∀n φ                                  forall
                     |  ∃n φ                                  exists
                     |  φ[i]                                  meta-application
                     |  {n/φ}                                 meta-abstraction
                     |  φ[n := i]                             meta-substitution
                     |  (φ̄)                                   tuple
                     |  (φ)
  forms, φ̄         ::= () | φ̄, φ | φ̄[i] | (φ̄)                formulas (meta-application)
  absterm, t̂       ::= n ↦ t                                 parametrized term
  absforms, φ̂      ::= n ↦ φ̄                                 parametrized formulas
  ind, i            ::= 0                                     zero
                     |  1 | 2 | 3 | 4 | 5                     (sugar)
                     |  succ(i)                               successor
                     |  pred(i)                               predecessor
                     |  add(i1, i2)                           addition
                     |  sub(i1, i2)                           subtraction
                     |  mult(i1, i2)                          multiplication
                     |  F32(i)                                F32
                     |  n                                     variable

Syntax of I with dependent types and proof annotations

  env, Γ, Ω, γ, ω   ::= () | Γ, x : ψ | x̄ : ψ̄                empty environment, ident declaration(s)
                     |  Γ[i] | {n/Γ} | Γ[n := i] | (Γ)       meta-application, meta-abstraction, meta-substitution
  absenv, δ         ::= n ↦ Γ                                 parametrized environment
  qenv, Θ           ::= [Γ]                                   existentially quantified environment: simple
                     |  ∃n Θ                                  binder
                     |  Θ[i]                                  meta-application
                     |  (Θ)
  absqenv, θ̂       ::= {n/Θ}                                 parametrized existentially quantified environment
  command, c        ::= {s}Θ                                  block
                     |  for y : nat(n) := 0 until e {s}[ω]    for (sugar)
                     |  for y : nat(n) := 0 until e {s}ω̂     for (sugar)
                     |  y := e                                assign
                     |  inc(y)                                inc
                     |  dec(y)                                dec
                     |  e(ē; ȳ)                               call
                     |  jump(e, ē)Θ                           jump
                     |  y : {s}Θ                              label
  sequence, s       ::= ε                                     empty sequence (implicit or explicit)
                     |  c; s                                  command
                     |  cst y = e; s                          constant
                     |  var y := e; s                         variable
                     |  var y; s                              variable
                     |  s[i]                                  meta-application
                     |  ?n.s                                  abstraction (any)
                     |  [i ∈ Θ]s                              witness
                     |  s :> θ̂[e]                             subst
                     |  (s)
  body, b           ::= n ↦ s                                 parametrized sequence (meta-abstraction)
  number, q         ::= 0 | 1 | 2 | 3 | 4 | 5 | succ(q)       zero, (sugar), successor
  expression, e     ::= x                                     variable
                     |  *                                     star
                     |  q                                     number
                     |  e[i]                                  meta-application (sugar)
                     |  e{i}                                  procedure instance
                     |  e <: ψ̂{i}                             continuation instance
                     |  e :> ψ̂[e']                            subst (sugar)
                     |  i1 = i2                               axiom
                     |  proc h                                procedure
  header, h         ::= [γ] out Θ {s}                         parameters
                     |  h[i]                                  meta-application (sugar)
                     |  ∀n h                                  generalization (sugar)
  expressions, ē    ::= () | ē, e | (ē)
  prop, ψ, ρ        ::= X | i1 = i2 | ⊤ | ⊥ | nat(i) | proc p | ψ[i]   var, equality, true, false, nat, proc, meta-application
  absprop, ψ̂       ::= n ↦ ψ                                 parametrized dependent type
  props, ψ̄, ρ̄      ::= () | ψ̄, ψ | ψ̄[i]                     dependent types (meta-application)
  absprops          ::= n ↦ ψ̄                                 parametrized dependent types
  output, φ         ::= [ψ̄] | ∃n φ | φ[i]                     dependent types, existential quantification, meta-application
  absoutput         ::= n ↦ φ                                 parametrized existentially quantified dependent type
  prototype, p      ::= ([ψ̄] out φ)                           in/out parameters
                     |  ∀n p                                  universal quantification (sugar)
                     |  p[i]                                  meta-application (sugar)
                     |  {n/p}                                 meta-abstraction (sugar)

Judgments

  axioms ::=
    ⊢ i = i'                           Axioms

  f-typing ::=
    φ = φ'                             Formulas equality
    x : φ ∈ Σ                          Lookup
    Σ ⊢ t : φ                          Type check term
    Σ ⊢ (t̄) : (φ̄)                      Type check terms
    Σ, x̄ : φ̄ = Σ'                      Append environments
    Σ, (x̄) : φ ⊢ t : φ'                 Type check term in extended environment

  typing ::=
    ψ = ψ'                             Formula equality
    γ = γ'                             Environment equality
    x : ψ ∈ Γ                          Lookup ident
    x ∉ Γ                              Not in environment
    y ∉ Θ                              Not in quantified environment
    y ∈ Θ                              Belongs to quantified environment
    x̄ : ψ̄ ⊂ Γ                          Lookup idents
    Ω[x : ψ] = Ω'                      Update
    Ω[x̄ : ψ̄] = Ω'                      Multi-update
    Γ; Ω[x : ψ] ⊢ s ▷ Θ                 Type check with updated environment
    Γ; Ω[x̄ : ψ̄] ⊢ s ▷ Θ                 Type check with updated environment
    Γ; Ω[ω] ⊢ s ▷ Θ                     Type check with updated environment
    Γ, γ = Γ'                          Append
    ω ⊂ Ω                              Subset
    Ω|x̄ = ω                            Restriction
    Ω = x̄ : ψ̄                          Split
    Θ = x̄ : φ                          Split quantified environment
    Ω ⇐ x̄ : ψ̄                          Zip
    Θ ⇐ x̄ : φ                          Zip quantified environment
    x̄ : ψ = ω                          Init
    Γ; Ω ⊢ e : ψ                       Typecheck expression
    Γ; Ω ⊢ (ē) : (ψ̄)                   Typecheck expressions
    ~φ = ψ                             Defined negation
    Γ; Ω ⊢ s ▷ Θ                       Typecheck sequence
    Γ; Ω[Θ] ⊢ s ▷ Θ'                   Typecheck sequence with updated environment

  translation ::=
    (ψ)* = φ                           Type translation
    (ψ̄)* = (φ̄)                         Types translation
    (γ)* = (x̄) : (φ̄)                   Environment translation
    (δ)* = (x̄) : φ̂                      Parametrized environment translation
    (ψ̂)* = φ̂                            Parametrized type translation
    (n ↦ ψ̄)* = (n ↦ φ̄)                  Parametrized types translation
    (φ)* = φ                           Quantified types translation
    (Θ)* = (x̄) : φ                      Quantified environment translation
    (p)* = φ                           Prototype translation
    (x̄)* = t̄                           Idents translation
    q* = t                             Number translation
    (h)* = t                           Header translation
    (e)* = t                           Expression translation
    (ē)* = (t̄)                         Expressions translation
    (s)*_θ = t                         Sequence translation
    (b)*_θ̂ = t̂                          Loop body translation

  judgement ::= primitives | axioms | f-typing | typing | translation

Axioms  ⊢ i = i'

  ⊢ i = i                                                                (ax_refl)
  ⊢ pred(0) = 0                                                          (ax_pred_0)
  ⊢ pred(succ(i)) = i                                                    (ax_pred_s)
  ⊢ add(0, i') = i'                                                      (ax_add_0)
  ⊢ add(succ(i), i') = succ(add(i, i'))                                  (ax_add_s)
  ⊢ add(i', 0) = i'                                                      (ax_add2_0)
  ⊢ add(i', succ(i)) = succ(add(i', i))                                  (ax_add2_s)
  ⊢ mult(0, i') = 0                                                      (ax_mult_0)
  ⊢ mult(succ(i), i') = add(mult(i, i'), i')                             (ax_mult_s)
  ⊢ F32(0) = 3                                                           (ax_F32_0)
  ⊢ F32(succ(i)) = 2                                                     (ax_F32_s)
3.1 Functional dependent type system FD

Rules are written  premises  ⟹  conclusion  (name); a premise of the form ∀I. J means that J must hold for an arbitrary fresh individual I.

Formulas equality  φ = φ'
  φ = φ                                                                  (form_eq_i)

Lookup  x : φ ∈ Σ
  x : φ ∈ Σ, x : φ                                                       (f_lookup_i)
  x ≠ y    x : φ ∈ Σ   ⟹   x : φ ∈ Σ, y : φ'                              (f_lookup_ii)

Type check term  Σ ⊢ t : φ
  x : φ ∈ Σ   ⟹   Σ ⊢ x : φ                                              (tc_var)
  Σ ⊢ 0 : nat(0)                                                         (tc_zero)
  Σ ⊢ t : nat(i)   ⟹   Σ ⊢ succ(t) : nat(succ(i))                        (tc_succ)
  Σ, x : φ ⊢ t : φ'   ⟹   Σ ⊢ fn x : φ => t : φ → φ'                      (tc_lam)
  Σ ⊢ t1 : φ → φ'    Σ ⊢ t2 : φ   ⟹   Σ ⊢ t1 t2 : φ'                      (tc_app)
  ∀I. Σ ⊢ t[I] : φ[I]   ⟹   Σ ⊢ λn.t[n] : ∀n φ[n]                         (tc_forall_i)
  Σ ⊢ t : ∀n φ[n]   ⟹   Σ ⊢ t{i} : φ[i]                                   (tc_forall_e)
  Σ ⊢ (t̄) : (φ̄)  [Type check terms]   ⟹   Σ ⊢ (t̄) : (φ̄)                  (tc_tuple)
  Σ ⊢ t1 : φ    Σ, y : φ ⊢ t2 : φ'   ⟹   Σ ⊢ let y = t1 in t2 : φ'         (tc_let)
  Σ ⊢ t1 : φ    Σ, (x̄) : φ ⊢ t2 : φ'   ⟹   Σ ⊢ let (x̄) = t1 in t2 : φ'     (tc_match)
  Σ ⊢ t : φ[i]   ⟹   Σ ⊢ (i, t : ∃n φ[n]) : ∃n φ[n]                        (tc_exists_i)
  Σ ⊢ t1 : nat(i)    Σ ⊢ t2 : φ[0]    ∀N. Σ, y : nat(N) ⊢ t3[N] : φ[N] → φ[succ(N)]
      ⟹   Σ ⊢ rec(t1, t2, λn.fn y : nat(n) => t3[n]) : φ[i]                (tc_rec)
  ⊢ i1 = i2   ⟹   Σ ⊢ i1 = i2 : i1 = i2                                   (tc_ax_i)
  ⊢ i1 = i2   ⟹   Σ ⊢ i2 = i1 : i2 = i1                                   (tc_ax_ii)
  Σ ⊢ t : φ[i2]    Σ ⊢ t' : i1 = i2   ⟹   Σ ⊢ t :> (n ↦ φ[n])[t'] : φ[i1]   (tc_equal_e)
  Σ ⊢ t1 : ~φ    Σ ⊢ t2 : φ   ⟹   Σ ⊢ throw t1 t2 : φ'                     (tc_throw)
  Σ ⊢ t : ~φ → φ   ⟹   Σ ⊢ callcc t : φ                                   (tc_callcc)

Type check terms  Σ ⊢ (t̄) : (φ̄)
  Σ ⊢ () : ()                                                            (tc_empty)
  Σ ⊢ t : φ    Σ ⊢ (t̄) : (φ̄)   ⟹   Σ ⊢ (t̄, t) : (φ̄, φ)                    (tc_cons)

Append environments  Σ, x̄ : φ̄ = Σ'
  Σ, () : () = Σ                                                         (app_i)
  Σ, x̄ : φ̄ = Σ'   ⟹   Σ, (x̄, x) : (φ̄, φ) = Σ', x : φ                      (app_ii)

Type check term in extended environment  Σ, (x̄) : φ ⊢ t : φ'
  Σ, x̄ : φ̄ = Σ'    Σ' ⊢ t : φ'   ⟹   Σ, (x̄) : (φ̄) ⊢ t : φ'                (tc_product)
  ∀I. Σ, (x̄) : φ[I] ⊢ t[I] : φ'   ⟹   Σ, (x̄) : ∃n φ[n] ⊢ ?n.t[n] : φ'      (tc_exists_e)

(As announced in the introduction, existential elimination is split: tc_exists_e is the left-introduction
half, and the cut is performed by tc_match / tc_let on the term that produces the existential.)
3.2 Imperative dependent type system ID

Formula equality  ψ = ψ'
  ψ = ψ                                                                  (prop_eq_id)

Environment equality  γ = γ'
  γ = γ                                                                  (env_eq_id)

Lookup ident  x : ψ ∈ Γ
  x : ψ ∈ Γ, x : ψ                                                       (lookup_i)
  x ≠ x'    x : ψ ∈ Γ   ⟹   x : ψ ∈ Γ, x' : ψ'                            (lookup_ii)

Not in environment  x ∉ Γ
  x ∉ ()                                                                 (notin_i)
  x ≠ x'    x ∉ Γ   ⟹   x ∉ Γ, x' : ψ'                                    (notin_ii)

Not in quantified environment  y ∉ Θ
  y ∉ Γ   ⟹   y ∉ [Γ]                                                    (notin_qenv_i)
  ∀I. y ∉ Θ[I]   ⟹   y ∉ ∃n Θ[n]                                         (notin_qenv_ii)

Belongs to quantified environment  y ∈ Θ
  y : ψ ∈ Γ   ⟹   y ∈ [Γ]                                                (belongs_i)
  ∀I. y ∈ Θ[I]   ⟹   y ∈ ∃n Θ[n]                                         (belongs_ii)

Lookup idents  x̄ : ψ̄ ⊂ Γ
  () : () ⊂ Γ                                                            (lookup_idents_i)
  x : ψ ∈ Γ    x̄ : ψ̄ ⊂ Γ   ⟹   x̄, x : ψ̄, ψ ⊂ Γ                            (lookup_idents_ii)

Update  Ω[x : ψ] = Ω'
  (Ω, x : ψ')[x : ψ] = (Ω, x : ψ)                                        (update_i)
  x ≠ x'    Ω[x : ψ] = Ω'   ⟹   (Ω, x' : ψ')[x : ψ] = (Ω', x' : ψ')        (update_ii)

Multi-update  Ω[x̄ : ψ̄] = Ω'
  Ω[() : ()] = Ω                                                         (multi_update_i)
  Ω[x̄ : ψ̄] = Ω'    Ω'[x : ψ] = Ω''   ⟹   Ω[x̄, x : ψ̄, ψ] = Ω''              (multi_update_ii)

Type check with updated environment  Γ; Ω[x : ψ] ⊢ s ▷ Θ,  Γ; Ω[x̄ : ψ̄] ⊢ s ▷ Θ,  Γ; Ω[ω] ⊢ s ▷ Θ
  Ω[x : ψ] = Ω'    Γ; Ω' ⊢ s ▷ Θ   ⟹   Γ; Ω[x : ψ] ⊢ s ▷ Θ                  (pre_update_i)
  Ω[x̄ : ψ̄] = Ω'    Γ; Ω' ⊢ s ▷ Θ   ⟹   Γ; Ω[x̄ : ψ̄] ⊢ s ▷ Θ                  (m_pre_update_i)
  ω = x̄ : ψ̄    Γ; Ω[x̄ : ψ̄] ⊢ s ▷ Θ   ⟹   Γ; Ω[ω] ⊢ s ▷ Θ                    (m_update_short_i)

Append  Γ, γ = Γ'
  Γ, () = Γ                                                              (append_i)
  Γ, γ = Γ'   ⟹   Γ, (γ, x : ψ) = Γ', x : ψ                                (append_ii)

Subset  ω ⊂ Ω
  () ⊂ Ω                                                                 (tc_subset_i)
  ω ⊂ Ω    x : ψ ∈ Ω   ⟹   (ω, x : ψ) ⊂ Ω                                  (tc_subset_ii)

Restriction  Ω|x̄ = ω
  Ω|() = ()                                                              (tc_restrict_i)
  Ω|x̄ = ω    y : ψ ∈ Ω   ⟹   Ω|x̄, y = ω, y : ψ                             (tc_restrict_ii)

Split  Ω = x̄ : ψ̄
  () = () : ()                                                           (tc_split_i)
  Ω = x̄ : ψ̄   ⟹   (Ω, x : ψ) = (x̄, x) : (ψ̄, ψ)                            (tc_split_ii)

Split quantified environment  Θ = x̄ : φ
  Ω = x̄ : ψ̄   ⟹   [Ω] = x̄ : [ψ̄]                                           (tc_qsplit_i)
  ∀N. Θ[N] = x̄ : φ[N]   ⟹   ∃n Θ[n] = x̄ : ∃n φ[n]                         (tc_qsplit_ii)

Zip  Ω ⇐ x̄ : ψ̄
  () ⇐ () : ()                                                           (tc_zip_i)
  Ω ⇐ x̄ : ψ̄   ⟹   (Ω, x : ψ) ⇐ (x̄, x) : (ψ̄, ψ)                            (tc_zip_ii)

Zip quantified environment  Θ ⇐ x̄ : φ
  Ω ⇐ x̄ : ψ̄   ⟹   [Ω] ⇐ x̄ : [ψ̄]                                           (tc_qzip_i)
  ∀I. Θ[I] ⇐ x̄ : φ[I]   ⟹   ∃n Θ[n] ⇐ x̄ : ∃n φ[n]                         (tc_qzip_ii)

Init  x̄ : ψ = ω
  () : ψ = ()                                                            (tc_init_i)
  x̄ : ψ = ω   ⟹   (x̄, y) : ψ = (ω, y : ψ)                                  (tc_init_ii)

Typecheck expression  Γ; Ω ⊢ e : ψ
  x : ψ ∈ Γ   ⟹   Γ; Ω ⊢ x : ψ                                            (t_env_i)
  x : ψ ∈ Ω   ⟹   Γ; Ω ⊢ x : ψ                                            (t_env_ii)
  Γ; Ω ⊢ * : ⊤                                                           (t_true)
  Γ; Ω ⊢ 0 : nat(0)                                                      (t_zero)
  Γ; Ω ⊢ q : nat(i)   ⟹   Γ; Ω ⊢ succ(q) : nat(succ(i))                   (t_succ)
  ⊢ i1 = i2   ⟹   Γ; Ω ⊢ i1 = i2 : i1 = i2                                (t_ax_i)
  ⊢ i1 = i2   ⟹   Γ; Ω ⊢ i2 = i1 : i2 = i1                                (t_ax_ii)
  Γ; Ω ⊢ e : ψ[i2]    Γ; Ω ⊢ e' : i1 = i2   ⟹   Γ; Ω ⊢ e :> {n/ψ[n]}[e'] : ψ[i1]   (t_equal_e)
  Γ; Ω ⊢ e : proc ∀n p[n]   ⟹   Γ; Ω ⊢ e{i} : proc p[i]                    (t_proc_inst)
  ~∃n φ[n] = proc ∀n p[n]    Γ; Ω ⊢ e : proc ∀n p[n]   ⟹   Γ; Ω ⊢ e <: {n/φ[n]}{i} : proc p[i]   (t_cont_inst)
  γ = ȳ : ρ̄    Θ = z̄ : φ    z̄ : ⊤ = ω'    Γ, γ = Γ'    Γ'; ω' ⊢ s ▷ Θ
      ⟹   Γ; Ω ⊢ proc [γ] out Θ {s} : proc([ρ̄] out φ)                      (t_proc_decl)
  ∀I. Γ; Ω ⊢ proc h[I] : proc p[I]   ⟹   Γ; Ω ⊢ proc ∀n h[n] : proc ∀n p[n]   (t_proc_abs)

Typecheck expressions  Γ; Ω ⊢ (ē) : (ψ̄)
  Γ; Ω ⊢ () : ()                                                         (t_exps_i)
  Γ; Ω ⊢ (ē) : (ψ̄)    Γ; Ω ⊢ e : ψ   ⟹   Γ; Ω ⊢ (ē, e) : (ψ̄, ψ)            (t_exps_ii)

Defined negation  ~φ = ψ   (a continuation is a procedure that never returns)
  ~[ψ̄] = proc([ψ̄] out [⊥])                                               (t_neg_def_i)
  ∀N. ~φ[N] = proc p[N]   ⟹   ~∃n φ[n] = proc ∀n p[n]                     (t_neg_def_ii)

Typecheck sequence  Γ; Ω ⊢ s ▷ Θ
  Ω' ⊂ Ω   ⟹   Γ; Ω ⊢ ε ▷ [Ω']                                            (t_empty)
  Γ; Ω ⊢ s ▷ Θ[i]   ⟹   Γ; Ω ⊢ [i ∈ ∃n Θ[n]]s ▷ ∃n Θ[n]                     (t_witness)
  Γ; Ω ⊢ e : i1 = i2    Γ; Ω ⊢ s ▷ Θ[i2]   ⟹   Γ; Ω ⊢ s :> {n/Θ[n]}[e] ▷ Θ[i1]   (t_subst)
  Γ; Ω ⊢ e : ψ    Γ, y : ψ; Ω ⊢ s ▷ Θ   ⟹   Γ; Ω ⊢ cst y = e; s ▷ Θ          (t_cst)
  Γ; Ω ⊢ e : ψ    Γ; Ω, y : ψ ⊢ s ▷ Θ    y ∉ Θ   ⟹   Γ; Ω ⊢ var y := e; s ▷ Θ   (t_var)
  Γ; Ω ⊢ s ▷ Θ    Γ; Ω[Θ] ⊢ s' ▷ Θ'   ⟹   Γ; Ω ⊢ {s}Θ; s' ▷ Θ'               (t_block)
  Θ = x̄ : φ    ~φ = ψ    Γ, y : ψ; Ω ⊢ s ▷ Θ    Γ; Ω[Θ] ⊢ s' ▷ Θ'
      ⟹   Γ; Ω ⊢ y : {s}Θ; s' ▷ Θ'                                        (t_label)
  Γ; Ω ⊢ e : ~[ψ̄]    Γ; Ω ⊢ (ē) : (ψ̄)    Γ; Ω[Θ] ⊢ s' ▷ Θ'   ⟹   Γ; Ω ⊢ jump(e, ē)Θ; s' ▷ Θ'   (t_jump)
  y : nat(i) ∈ Ω    Γ; Ω[y : nat(succ(i))] ⊢ s ▷ Θ   ⟹   Γ; Ω ⊢ inc(y); s ▷ Θ   (t_inc)
  y : nat(i) ∈ Ω    Γ; Ω[y : nat(pred(i))] ⊢ s ▷ Θ   ⟹   Γ; Ω ⊢ dec(y); s ▷ Θ   (t_dec)
  y : ψ ∈ Ω    Γ; Ω ⊢ e : ψ'    Γ; Ω[y : ψ'] ⊢ s ▷ Θ   ⟹   Γ; Ω ⊢ y := e; s ▷ Θ   (t_assign)
  ω[0] ⊂ Ω    Γ; Ω ⊢ e : nat(i)    ∀N. Γ, y : nat(N); ω[N] ⊢ s[N] ▷ [ω[succ(N)]]    Γ; Ω[ω[i]] ⊢ s' ▷ Θ
      ⟹   Γ; Ω ⊢ for y : nat(n) := 0 until e {s[n]}ω[n]; s' ▷ Θ            (t_for)
  Γ; Ω ⊢ e : proc([ψ̄] out φ)    Γ; Ω ⊢ (ē) : (ψ̄)    Θ ⇐ z̄ : φ    Γ; Ω[Θ] ⊢ s ▷ Θ'
      ⟹   Γ; Ω ⊢ e(ē; z̄); s ▷ Θ'                                            (t_call)

Typecheck sequence with updated environment  Γ; Ω[Θ] ⊢ s ▷ Θ'
  Γ; Ω[Ω'] ⊢ s ▷ Θ'   ⟹   Γ; Ω[[Ω']] ⊢ s ▷ Θ'                               (tc_update_seq_i)
  ∀I. Γ; Ω[Θ[I]] ⊢ s[I] ▷ Θ'   ⟹   Γ; Ω[∃n Θ[n]] ⊢ ?n.s[n] ▷ Θ'              (tc_update_seq_ii)

(t_for is the loop invariant rule: ω[n] is the parametrized type of the updated variables after n
iterations, so the body is checked once for an arbitrary N and the loop exits with ω[i]. t_jump
accepts any Θ after the jump since the continuation never returns; this is what lets the blocks of
Figure 2 close with the annotated environment.)
3.3 Translation from ID to FD

Type translation  (ψ)* = φ
  (nat(i))* = nat(i)                                                     (tr_type_nat)
  (X)* = X                                                               (tr_type_var)
  (⊤)* = ⊤                                                               (tr_type_true)
  (⊥)* = ⊥                                                               (tr_type_false)
  (i1 = i2)* = i1 = i2                                                   (tr_type_equals)
  (p)* = φ   ⟹   (proc p)* = ~φ                                           (tr_type_proc)

Types translation  (ψ̄)* = (φ̄)
  ()* = ()                                                               (tr_types_i)
  (ψ̄)* = (φ̄)    (ψ)* = φ   ⟹   (ψ̄, ψ)* = (φ̄, φ)                           (tr_types_ii)

Environment translation  (γ)* = (x̄) : (φ̄)
  ()* = () : ()                                                          (tr_env_i)
  (γ)* = (x̄) : (φ̄)    (ψ)* = φ   ⟹   (γ, x : ψ)* = (x̄, x) : (φ̄, φ)         (tr_env_ii)

Parametrized environment translation
  ∀N. (γ[N])* = (z̄) : (φ̄[N])   ⟹   (n ↦ γ[n])* = (z̄) : (n ↦ φ̄[n])          (tr_abs_env_i)

Parametrized type translation
  ∀N. (ψ[N])* = φ[N]   ⟹   (n ↦ ψ[n])* = n ↦ φ[n]                          (tr_abs_type_i)

Parametrized types translation
  ∀N. (ψ̄[N])* = (φ̄[N])   ⟹   (n ↦ ψ̄[n])* = (n ↦ φ̄[n])                      (tr_abs_types_i)

Quantified types translation  (φ)* = φ
  (ψ̄)* = (φ̄)   ⟹   ([ψ̄])* = (φ̄)                                           (tr_qtypes_i)
  ∀N. (φ[N])* = φ'[N]   ⟹   (∃n φ[n])* = ∃n φ'[n]                          (tr_qtypes_ii)

Quantified environment translation  (Θ)* = (x̄) : φ
  (γ)* = (x̄) : (φ̄)   ⟹   ([γ])* = (x̄) : (φ̄)                                (tr_qenv_i)
  ∀N. (Θ[N])* = (x̄) : φ[N]   ⟹   (∃n Θ[n])* = (x̄) : ∃n φ[n]                (tr_qenv_ii)

Prototype translation  (p)* = φ
  (ψ̄)* = (φ̄)    (φ)* = φ'   ⟹   (([ψ̄] out φ))* = (φ̄) → φ'                  (tr_prototype_i)
  ∀N. (p[N])* = φ[N]   ⟹   (∀n p[n])* = ∀n φ[n]                            (tr_prototype_ii)

Idents translation  (x̄)* = t̄
  ()* = ()                                                               (tr_idents_i)
  (x̄)* = t̄   ⟹   (x̄, x)* = (t̄, x)                                         (tr_idents_ii)

Number translation  q* = t
  0* = 0                                                                 (tr_num_i)
  q* = t   ⟹   succ(q)* = succ(t)                                         (tr_num_ii)

Header translation  (h)* = t
  (Θ)* = θ    (γ)* = (x̄) : (φ̄)    (s)*_θ = t   ⟹   ([γ] out Θ {s})* = fn (x̄ : (φ̄)) => t   (tr_header_i)
  ∀N. (h[N])* = t[N]   ⟹   (∀n h[n])* = λn.t[n]                            (tr_header_ii)

Expression translation  (e)* = t
  q* = t   ⟹   (q)* = t                                                   (tr_exp_num)
  (x)* = x                                                               (tr_exp_var)
  (*)* = ()                                                              (tr_exp_star)
  (i1 = i2)* = i1 = i2                                                   (tr_exp_axiom)
  (h)* = t   ⟹   (proc h)* = t                                            (tr_exp_proc)
  (e)* = t   ⟹   (e{i})* = t{i}                                           (tr_exp_inst)
  (e)* = t    ∀N. (φ[N])* = φ'[N]   ⟹   (e <: {n/φ[n]}{i})* = fn v : φ'[i] => t (i, v : ∃n φ'[n])   (tr_exp_inst')
  (e)* = t    (e')* = t'    ({n/ψ[n]})* = φ̂   ⟹   (e :> {n/ψ[n]}[e'])* = t :> φ̂[t']   (tr_exp_subst)

Expressions translation  (ē)* = (t̄)
  ()* = ()                                                               (tr_exps_i)
  (ē)* = (t̄)    (e)* = t   ⟹   (ē, e)* = (t̄, t)                            (tr_exps_ii)

Sequence translation  (s)*_θ = t   (θ = (z̄) : φ is the translated output environment)
  θ = (z̄) : φ   ⟹   (ε)*_θ = (z̄)                                          (tr_seq_empty)
  (e)* = t    (s)*_θ = t'   ⟹   (var x := e; s)*_θ = let x = t in t'        (tr_seq_var)
  (e)* = t    (s)*_θ = t'   ⟹   (cst x = e; s)*_θ = let x = t in t'         (tr_seq_cst)
  (e)* = t    (s)*_θ = t'   ⟹   (x := e; s)*_θ = let x = t in t'            (tr_seq_assign)
  (s)*_θ = t   ⟹   (inc(x); s)*_θ = let x = succ(x) in t                    (tr_seq_inc)
  (s)*_θ = t   ⟹   (dec(x); s)*_θ = let x = pred(x) in t                    (tr_seq_dec)
  (e)* = t    (ē)* = (ū)    (s)*_θ = t'   ⟹   (e(ē; z̄); s)*_θ = let (z̄) = t (ū) in t'   (tr_seq_call)
  (Θ)* = (z̄) : φ    (s1)*_{(z̄) : φ} = t1    (s2)*_θ = t2   ⟹   ({s1}Θ; s2)*_θ = let (z̄) = t1 in t2   (tr_seq_block)
  (n ↦ ω[n])* = (z̄) : (n ↦ φ̄[n])    (e)* = u'    (z̄)* = (ū)    (n ↦ s1[n])*_{n ↦ (z̄) : [φ̄[n]]} = n ↦ t[n]    (s2)*_θ = t'
      ⟹   (for y : nat(n) := 0 until e {s1[n]}ω[n]; s2)*_θ
            = let (z̄) = rec(u', (ū), λn.fn y : nat(n) => fn (z̄ : φ̄[n]) => t[n]) in t'   (tr_seq_for)
  ∀N. (s[N])*_θ = t[N]   ⟹   (?n.s[n])*_θ = ?n.t[n]                        (tr_seq_any)
  (s)*_θ' = t    (Θ)* = (z̄) : φ   ⟹   ([i ∈ Θ]s)*_θ = (i, t : φ)           (tr_seq_witness)
  (s)*_θ' = t    (e)* = u    (θ̂)* = (z̄) : φ̂   ⟹   (s :> θ̂[e])*_θ = t :> φ̂[u]   (tr_seq_subst)
  (e)* = t    (ē)* = (ū)    (s)*_θ = t'    (Θ)* = (z̄) : φ   ⟹   (jump(e, ē)Θ; s)*_θ = let (z̄) = throw t (ū) in t'   (tr_seq_jump)
  (Θ)* = (z̄) : φ    (s)*_{(z̄) : φ} = t    (s')*_θ = t'   ⟹   (y : {s}Θ; s')*_θ = let (z̄) = callcc (fn y : ~φ => t) in t'   (tr_seq_label)

Loop body translation  (b)*_θ̂ = t̂
  ∀N. (s[N])*_{θ[N]} = t[N]   ⟹   (n ↦ s[n])*_{n ↦ θ[n]} = n ↦ t[n]          (tr_body_abs)

(A label becomes callcc and a jump becomes throw, so the dependent translation of Figure 2 is
literally Filinski's callcc/throw encoding of shift/reset, with the procedural variable mk
playing the role of the global meta-continuation.)